The SMB C-Suite’s Data Security Problem

In an environment of relentless cyber threats, small businesses (SMBs) still too often feel they are not targets for cyberattacks and data breaches. Less than two years ago, Manta researchers found that only 16 percent of small business owners believed they were at risk of a cyberattack, with most believing that the data within their systems was not desired by cybercriminals, and that they would be able to survive an attack should it occur.

Yet the reality is quite different. Continuum analysts have estimated that the average cost of a cyberattack on a small business is about $54,000, and even higher for firms with up to 1,000 employees. A 10-person company that faces losses of more than $41,000 following a cyberattack may not be able to survive such a crippling hit.

While researchers found that SMBs are, fortunately, waking up to the threat of cyberattacks, many continue to struggle to address that risk, with budget constraints and a lack of expertise preventing these firms from becoming as protected as possible.

Even in the last six months alone, IOXO Founder and CEO David Turcotte said he’s seen growth in SMBs’ understanding of their cyber risk exposure. In some ways, Turcotte told PYMNTS, small firms can actually be bigger targets for attackers — and the fallout of a data breach or system shutdown can be disproportionately large, too.

“In a larger organization, the risks are diluted,” he said. “Maybe they attack the legal department, or finance department, or payables. Sometimes, there’s a department within a department. But in a small business, there are two or three people [who] have the keys to the kingdom, and if you get the right one, if that person makes a mistake, their entire business can be shut down.”

Cyberattackers are increasingly going after accounts payable or payroll departments — the points of the enterprise where funds exit, and can be rerouted to a criminal’s bank account. This is the basis for the Business Email Compromise (BEC) scam, which often involves a phishing campaign against accounts payable professionals. Similar scams target payroll professionals with fraudulent emails, claiming to be from legitimate employees and requesting a change to their direct deposits.

While these attacks can be damaging, they don’t necessarily mean the demise of an entire organization. However, when accounts payable, accounting, payroll and other functions are all rolled under a single small business owner, a cybercriminal who is able to trick that CEO or steal their bank login credentials can spell the end for the company.

With that in mind, Turcotte warned that the CEO and the rest of the C-Suite can present some of the biggest cyber risks to an SMB. Sometimes, the cybersecurity policies that a typical employee must follow are viewed as voluntary for the CXO, he noted.

“The rank-and-file employees are working hard every day, and are given a set of tools, and they have to accept that,” said Turcotte. “The folks [who] have the authority to be exceptions to the rule are the ones [who] create security headaches for IT professionals.”

The C-Suite is indeed not only responsible for developing the tools and rules that the enterprise must follow, but is also beginning to step up to the plate to lead investments in cybersecurity technologies. IOXO recently announced the launch of CloudWRX, a solution designed to help SMBs migrate entirely to the cloud, while maintaining the security and integrity of their data.

Key to the solution, Turcotte said, is its affordability. The cybercrime challenge is made even harder for small businesses because, while the financial implications of an attack can disproportionately harm an SMB compared to a larger enterprise, the costs of cyber protection are disproportionately higher, too. IT professionals agree, with half of IT executives in a recent BAE Systems Applied Intelligence survey reporting that budget is the largest barrier to developing and deploying a comprehensive security plan (nearly the same share said cybersecurity efforts are not a high enough priority for business leaders at their firms).

“Having an understanding of [cybersecurity] is really important. Once small businesses realize, ‘Okay, I’m at risk,’ the next step of ‘What do I have to do to protect myself?’ gets dicey,” he explained. “The cost for a lot of small businesses is astronomical.”

The high-profile data breaches and cyberattacks on global conglomerates and government institutions have, on one hand, perhaps misled the small business community about its vulnerability to cyberattacks. On the other hand, they have also raised awareness of cyber threats overall, and Turcotte said small business leaders are finally ready to acknowledge that they won’t necessarily be passed over by an attack.

That acknowledgment is only the first step to getting secured, however. Adequate education and investment in affordable cyber solutions must be top of mind, particularly for the C-level executives who may think cybersecurity stands in the way of getting business done.

“Sometimes, cybersecurity processes and protocols may not be the most convenient,” said Turcotte. “You always have a push-and-pull relationship between convenience and security. But short-term convenience is not worth risking the entire company.”